A web service is an application whose functionality and interfaces are exposed through open technology standards including the eXtensible Markup Language (XML), SOAP, the Web Service Description Language (WSDL) and HTTP(S). A web service client (WSC) sends a SOAP message to the endpoint (identified by a URI) of a web service provider (WSP); after receiving the request, the WSP responds appropriately with a SOAP response. The built-in openness of these technologies, however, creates security risks. Initially, securing web services communications was addressed using transport level security, in which the complete message was encrypted and transmitted using Secure Sockets Layer (SSL) with mutual authentication. But with current enterprise topologies (including proxies, load balancers, data centers, and the like) security must now be addressed when intermediaries are involved. Web services must be prepared to:
Pass fine-grained security data (for example, identity attributes for authorization).
Enable one or more trusted authorities to broker trust between communicating entities.
Maintain security on a per message basis.
Maintain transport layer independence.
These requirements call for message level security (also referred to as application level security and end-to-end security) in which only the content of the message is encrypted. Message level security embeds all required security information in a message's SOAP header. Additionally, encryption and digital signatures can be applied to the data itself. The advantages of message level security are that:
Security stays with the message through all intermediaries, across domain boundaries, and after the message arrives at its destination.
Security can be selectively applied to different portions of the message.
Security is independent of the application environment and transport protocol.
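The following is an added illustration (not code from the OpenSSO Enterprise documentation) of the three properties just listed: a WSC places an integrity token for the SOAP Body in a wsse:Security header, an intermediary may add its own SOAP header without breaking it, and any change to the protected Body is detected by the WSP. It uses an HMAC over the canonicalized Body as a stand-in for a real XML Signature; the shared key, the getBalance operation, and the RoutedVia header are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Real SOAP 1.1 and WS-Security 1.0 namespace URIs.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

SHARED_KEY = b"constructed-demo-key"  # constructed; stands in for a key WSC and WSP both hold

def build_request(account):
    """WSC side: envelope whose Body carries a wsu:Id so it can be referenced by the token."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {f"{{{WSU}}}Id": "Body"})
    ET.SubElement(body, "getBalance").text = account  # constructed operation
    return env

def _body_mac(env, key):
    """Integrity value over the canonical Body only (selective protection)."""
    body = env.find(f"{{{SOAP}}}Body")
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()

def sign(env, key):
    """Embed the token in the wsse:Security header so it travels with the message."""
    security = ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(security, "Signature", {"URI": "#Body"})  # simplified, not XML-DSig
    token.text = _body_mac(env, key)
    return ET.tostring(env, encoding="unicode")

def verify(xml_text, key):
    """WSP side: recompute over the received Body and compare in constant time."""
    env = ET.fromstring(xml_text)
    token = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/Signature")
    if token is None or token.get("URI") != "#Body":
        return False
    return hmac.compare_digest(token.text or "", _body_mac(env, key))

def add_routing_header(xml_text):
    """Intermediary adds an unprotected header; the Body token must survive this."""
    env = ET.fromstring(xml_text)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "RoutedVia").text = "proxy-1"
    return ET.tostring(env, encoding="unicode")

def tamper_body(xml_text):
    """Hostile or faulty hop alters the protected Body; the WSP must reject this."""
    env = ET.fromstring(xml_text)
    env.find(f"{{{SOAP}}}Body/getBalance").text = "ACCT-9999"
    return ET.tostring(env, encoding="unicode")
```

Because the token binds only the Body, the WSP still accepts the message after the proxy's header is added but rejects it once the Body changes or a different key is used.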
To address message level security in web services communications, organizations such as the Organization for the Advancement of Structured Information Standards (OASIS), the Liberty Alliance Project and the Java Community Process (JCP) have proposed specifications based on open standards. Building on these specifications, OpenSSO Enterprise has implemented the Security Token Service, using the WS-Trust specification, and Security Agents.